Threat Detection Across Infrastructure and Workloads

A compromised container does not announce itself. It spawns a reverse shell, writes to /etc/passwd, or opens an outbound connection to a command-and-control server. If you are not watching at the right layer, you miss it entirely.
The CKS exam domain "Monitoring, Logging and Runtime Security" (20% weight) explicitly tests your ability to detect threats within physical infrastructure, apps, networks, data, users and workloads. Prevention is essential, but it has limits. Runtime detection catches what prevention misses: the misconfigured policy, the zero-day exploit, the compromised service account.